10/506964 

WO 03/077246 PCT/GB03/01006 

, ttRWdPOT/flo QASFP JMl 
. Hi^Cim/FTO .0 8 SEP W • 

Copy Protection System for Data Carriers 

Field of the Invention 

This invention concerns methods, software and formats for preventing or restricting 
copying of data, particularly as recorded in digital form on a carrier such as optical disc 
5 media. In this description optical disc media is intended to include compact discs (CDs), 
CD-ROMs and Digital Versatile Discs (DVDs), as well as similar media that may be read 
using electromagnetic radiation outside the visible range. 

Background of the Invention 

CD audio discs contain at least a first session formatted in compliance with the well 
10 known 'Red Book', also known as Standard 908 of the International Electrotechnical 
Commission (IEC) entitled 'Compact Disc Digital Audio System' (Geneva, Switzerland, 
1987). 

CD-ROMs contain one or more sessions formatted in compliance with the 4 Yellow 
Book' standard and normally its extension 'System Description CD-ROM XA\ which 
15 includes a data retrieval structure based on ISO 9660. The 'Yellow Book' standard 
incorporates the 'Red Book' standard, so that CD data drives can play audio data as well as 
read non-audio data. Multisession CD-R and CD-RW discs comply with the Orange Book 
standard. 

In this specification, a distinction will be made between 'audio CD players', which 
20 need only be able to read CDs complying with the Red Book standard, and 'CD-ROM 
drives', which are able to read CD's complying with the Yellow Book standards, and 
normally the Orange Book standard as well. Audio CD players are generally stand-alone 
devices having no other functionality than audio reproduction, although they may be 
integrated with other devices. CD-ROM drives are peripherals for general-purpose 
25 computers or other similar devices which are able to load and run application programs 
selected by the user. 



The advent of recordable CDs (CD-R) has made it generally easy and inexpensive 
to make unauthorised copies of audio CDs and CD-ROMs; for example by copying the 
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entire contents of an audio CD to a computer hard disc and then writing this to a CD-R. 
The potential loss of revenue to recording companies from such activities is considerable, 
and indeed its impact has already been felt. Consequently, there is a need to prevent such 
unauthorised copying. 

5 Red Book compliant CDs contain a great deal of information which is not 

necessary purely for playing audio tracks and which is ignored by most audio-only players. 
Hence, one approach to preventing unauthorised copying has been to deviate from Red 
Book compliance in a way that is ignored by audio CD players, but causes an error in a 
CD-ROM drive. 

Examples of this approach are described in WO 00/74053, in which selected 
control data is rendered inaccurate or incorrect; the Table of Contents (TOC) may identify 
the audio tracks as data tracks, or may incorrectly identify the position of the Lead-Out. 
WO 02/075735, published after the priority date of the present application, discloses 
identifying the first session as CD-ROM data when it actually contains audio tracks. EP 
1239472, published after the priority date of the present application, also discloses the idea 
of identifying audio tracks as data tracks in the TOC. 

However, a CD copying application running on a computer to which a CD-ROM 
drive is connected may be programmed to ignore inaccurate or incorrect control 
information, such as inaccurate TOC entries. 

20 The techniques mentioned above are intended to prevent reading of audio tracks by 

a CD-ROM drive, and thereby prevent storage of the tracks on a computer and subsequent 
recording or distribution on some other medium. However, some users like to play audio 
CDs on their computers. Hence, there is also a need to provide audio tracks in such a way 
that they can be played on a CD-ROM drive but cannot be re-recorded or distributed. 

25 One solution to this problem has been to provide the audio tracks in a first session 

which cannot be read by a CD-ROM drive, and to provide an encrypted version of the 
audio tracks in a second session. The encrypted tracks can only be decrypted and played by 
a player program which plays the audio data by converting it to audio signals. 
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However, in systems which use a universal encryption key or set of keys, all 
content encoded with the universal key(s) can be decrypted once the key(s) are discovered. 
If different keys are used for each carrier, some means must be devised for distributing the 
key appropriate to each carrier. 

5 Statement of the Invention 

According to one aspect of the invention, a track is recorded on a compact disc in a 
format including a lead-in indicating a track start address and a subchannel which changes 
state at a payioad start address, subsequent to the track start address. Data recorded at the 
track start address includes unrecoverable data. 

10 Where the track is an audio track, an audio CD player does not ignore the track 

start address, but begins to search sequentially from the track start address until it detects 
that the subchannel changes state, and reproduces the audio track from that point. A CD- 
ROM drive, on the other hand, begins to reproduce data from the track start address. When 
the unrecoverable data is read, the read operation is aborted, as it appears that the data has 

15 been corrupted. This operation cannot be easily circumvented, because it is not normally 
acceptable to ignore corrupt CD-ROM data. 

Preferably, the data recorded at the track start address also includes recoverable 
data, including a pointer to a player program stored on the compact disc. There may be a 
plurality of pointers to a corresponding plurality of player programs, one of the 
20 applications being selected according to the operating system of the device to which the 
CD-ROM drive is connected. 

Preferably, the content of the track is recorded without any incorrect or inaccurate 
information. 

A further important aspect of the invention is the ability to play the compact disc on 
25 a CD-ROM drive. This is achieved by compressing and encrypting tracks and recording 
the resulting data in a second, data session on the disc. 

The second session data is recorded in the following manner: the data is first split 
into logical blocks that will fit into a 4 Yellow Book' (IEC) standard CD sector (also known 
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as a logical block). Each of these blocks is then encrypted using an encryption key derived 
from its logical block address (LBA) or position on the disc. The data resulting from this 
process is then written to the disc at this position (LBA) using conventional mastering and 
recording methods. This compressed data is not accessible by conventional player 
5 software. 

The data is made accessible to a computer, by including in this second session a 
player program that is executable by the computer. The player program has the ability to 
locate, decrypt and decompress the data, but prevents the data from being re-recorded or 
distributed. 

10 Brief Description of the Drawings 

A detailed description of the preferred embodiments will now be described with 
reference to the accompanying drawings, in which: 

Figure 1 is a diagram of a track format including encapsulating data, in an 
embodiment of the invention; 

15 Figure 2 is a diagram showing pointers in the encapsulating data to second session 

data; 

Figure 3 is a diagram illustrating an encryption scheme used for the second session 

data 

Figure 4a is a diagram of a driver chain between an application and a CD-ROM 

20 drive; 

Figure 4b is a diagram showing the insertion of a supervisory program in the driver 
chain; and 

Figure 5 is diagram illustrating the stages of manufacture of a compact disc 
according to the embodiment. 
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Description of the Embodiments 

In an embodiment of the invention, a compact disc (CD) carries a first session 
conforming with the Red Book or Yellow Book standard, depending on whether its content 
is audio or data, except for deviations from the standard as described below. 

5 In accordance with the standard, the first session contains a Lead-in, a program area 

containing one or more tracks, and a Lead-out. The tracks may all be audio tracks, in 
accordance with the Red Book standard, or data tracks, in accordance with the Yellow 
Book standard. The Lead-in includes a table of contents (TOC), containing the absolute 
times (ATIME) of the start of each track and of the Lead-out, and identifying the type (i.e. 

1 0 audio or data) of each track. 

The data format of Red Book and Yellow Book standard CDs is well known, 
but the relevant parts are recited here for ease of understanding. Each frame of data 
which is modulated and recorded on the CD includes one subcode byte. Each bit of the 
subcode byte corresponds to a different subcode channel, labelled from P to W. The P- 
15 channel simply indicates the start and end of each track. The Q-channel contains time 
codes, track type and catalogue information and, in the Lead-in, the TOC. The time 
codes comprise ATIME, the absolute time elapsed since the start of the session, and 
PTIME, which decreases during a gap between tracks. Each track is preceded by a 
pause, normally of 2 seconds. 

20 Data Encapsulation 

In this embodiment of the invention, the TOC indicates the absolute time position 
ATOC of the start of a track, which has a format as shown in Figure 1. The track begins 
with a pause or gap G. At the position indicated by ATOC is located encapsulating data ED 
comprising a plurality CD-ROM data sectors, at least some of which contain unrecoverable 
25 data. 

The unrecoverable data may have one or more of sync information, error detection 
code (EDC) or error correction code (ECC) corrupted to the extent that the data is 
unrecoverable. Alternatively, an incorrect value of ATIME may be written in each sector 
header, while the EDC and the ECC indicate that this value is correct. 
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The encapsulating data ED is followed sequentially at an absolute time position AP 
by payload data PD, which conforms entirely with the appropriate Red or Yellow Book 
standard for the relevant track type. The track type is indicated as data in the TOC. 

The P channel bit stays high at the position ATOC, but goes low at the position AP. 

5 At this point, the value of FITME begins to increment, the index IDX changes from 00 
(indicating a pause) to 01 (indicating a track). The control channel CTRL has initially the 
value 4, indicating a data track, and after AP has the value appropriate to the track type of 
the payload data PD. In this case, the payload data is audio data, so CTRL changes to the 
value 0. Throughout this period, the track number TNO stays the same (indicated as the 

10 value XX in Figure 1). This format may be applied to each track in a session, or only to 
some tracks. 

When the track is played by a CD-ROM drive, the drive reads the position ATOC 
from the TOC and starts reading at that position. When the unrecoverable data is read, an 
error condition is generated and the data reading operation is aborted. 

15 When the track is played by an audio CD player, the player starts to look for the 

track at the position ATOC but also examines other control data, such as the P channel and 
the index IDX, to determine the start position of the track. The player therefore starts to 
read the track from the time AP, thereby avoiding the encapsulating data ED and playing 
the track as a normal audio track. 

20 By this method, a CD-ROM drive encounters an error in the data itself, rather than 

in the control information. The method cannot be circumvented simply by ignoring all data 
errors, because there may be unintentional data errors elsewhere on the CD which cannot be 
ignored. 

The payload data may be audio, video, game software or other data. In each case, a 
25 dedicated player may be able to find the payload start position AP and to ignore the 
encapsulation data ED, but a CD-ROM drive will attempt to read the encapsulation data ED 
and report a data error. 

Encrypted Second Session 

On the other hand, it is desirable to allow the CD-ROM player to play tracks in such 
30 a way that they cannot be re-recorded or distributed. This is facilitated in the embodiment 
by one or more pointers, contained within one or more recoverable sectors of the 
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encapsulation data ED, indicating the position on the CD of a player program which is able 
to play tracks contained within a second session on the CD. This is illustrated in Figure 2, 
where a set of tracks within the first session each contains encapsulation data ED including 
a pointer EDP to a location within the second session SS where a player program PP is 
5 stored. The pointers are copies of the ISO 9660 Primary Volume Descriptor (PVD), 
Secondary Volume Descriptor (SVD) and Volume Set Terminator (VST) variables, which 
are stored in sectors 16-18 relative to the start of each track. 

The second session SS conforms to the IEC 'Yellow Book' standard and the EEC 
'Orange Book' standard for multi-sessions. This session contains the player program and 
10 any associated files, which are accessible and/or executable by the computer operating 
system and also encrypted data files containing the tracks, these latter files not being 
accessible or playable, except by the player program. For example, when a protected disc is 
viewed by a PC file manager only the player program and any files directly associated with 
the program will be visible. 

The encryption method will now be described with reference to Figure 3. The data 
D is divided into segments SEG1 to SEGn allocated to corresponding sectors SEC1 to 
SECn having corresponding logical sector addresses LBA1 to LB An within the second 
session area of the disc. For each sector, an algorithm is used to derive an encryption key Ki 
from the logical sector address LBAi of the start of that sector. Preferably, a different 
encryption key is derived for each sector. The corresponding segment SEGi is encrypted 
using the respective encryption key Ki, compressed, and recorded in that sector SECi. 

Each sector on the disc normally contains 2048 bytes of consecutive encrypted 
digital data, each sector being encrypted with a different key. This block size is dictated by 
the Yellow Book standard, but in principle, data may be encrypted using any convenient 
25 block size. Using too large a block size is undesirable, as it would result in less variation in 
the encryption; this should be avoided. The logical sector address LBAI corresponding to 
the start of each track is known to the player program, this data being hidden within the 
player program code or at a location on the disc known to the player program. The player 
code also includes the algorithm in compiled form. 
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The data D may be spread over several consecutive sectors SEC1 to SECn. A 
particular track will normally comprise many thousand consecutive sectors on the disc. 
Thus, when a track is selected, the player program knows the start logical sector address 
LBA1 and can derive the key Kl to allow data from the first sector SEC1 to be decrypted. 

5 Having read the first sector, the player program knows that the next sector starts at LBA2 
consecutive to the last LB A of the first sector SEC1. Knowing LBA2, the player program 
can use the algorithm to derive the new key K2 and so decrypt data in the second sector 
SEC2. In this way, the player program can decrypt consecutive sectors, each time deriving 
a new key. In an alternative embodiment, sectors may be randomly addressed, but it is then 

10 necessary to know explicitly the start address of each sector. 

The encryption system in this embodiment has a number of advantages over known 
systems. If an unauthorized copier discovers both LBA1 and Kl, this only allows the first 
sector SEC1 to be recovered. The key K2 to the next consecutive sector SEC2 will 
normally be completely different. The algorithm used to derive the keys is compiled, either 
15 within the player program or accessible by the player program, and cannot easily be 
analysed. 

Further, if by some means the consecutive encrypted segments are copied, for 
example to a hard disc and the player program is run and directed to the first sector, it will 
generate wrong keys for each sector because it would need to know the original sector 
20 addresses LBA of the copied material. The sectors occupied on the hard disc will almost 
certainly differ from those on the original compact disc. Hence, the copied material will not 
be decrypted by the player program. 

Each segment SEG is preferably compressed using an appropriate compression 
algorithm before being recorded in the corresponding sector SEC. In the case of audio data, 
25 this advantageously reduces the space required for the second session SS and therefore 
allows more tracks to be included, both in the first and second sessions. The tracks need not 
be identical between the first and second sessions; for example, bonus tracks may be 
available in one session but not the other. 
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Supervisory Program 

Preferably, a disc produced according to the embodiment contains hidden software 
that is activated when the computer operating system first accesses the disc; this may be 
done automatically using an 'autorun' function of the operating system. The software 
5 instantiates a memory resident supervisory program that monitors access to the protected 
disc. When the disc is removed, the supervisory program is removed from the memory of 
the PC. The supervisory program is also designed to monitor the activity of the disc, 
including disc speed and disc access type (digital or audio) and ensures reliable playback of 
the disc content. 

10 The supervisory program inserts itself or part of itself into the operating system 

driver chain. As illustrated in Figure 4b, a driver chain is a computer operating system 
feature, where an application APP communicates with a higher level HL of the chain. This 
higher level HL communicates with a lower level LL which communicates with the CD- 
ROM drive. The driver chain presents a standard application program interface API to the 
15 application program APP for communicating with a large variety of hardware devices. As 
shown in Figure 4b, the supervisory program SP inserts itself into this driver chain by 
modifying the chain pointers in the next highest and lowest levels, and can therefore 
monitor all communications from the application program APP to the CD-ROM drive. The 
supervisory program SP performs command monitoring and disc monitoring functions. 

Command Monitoring 

The command monitoring function intercepts commands, such as SCSI or AT API 
commands, sent by the application APP to the CD-ROM drive and determines whether the 
commands indicate an unauthorised activity, such as the reading of data from the disc by an 
application that is not the player program. If an unauthorised activity is detected, the 
relevant command is blocked by the supervisory program and cannot continue down the 
driver chain to the CD-ROM. A command response is generated by the supervisory 
program and is returned up the driver chain to the application. The response may be an 
error message or dummy data, which appear to have originated from the CD-ROM drive, 
and prevent the application from performing the desired operation. 
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Disc Monitoring 

The disc monitoring functions involve monitoring data read by the CD-ROM and 
passed along the driver chain to the application. If unauthorised activity is detected, the 
read operation is prevented. 

5 The supervisory program SP may, for example calculate the average data transfer 

rate, disc speed or the type of read operation that is being attempted. When a disc is being 
played in a computer using the player program, the average playback speed of the disc will 
be very low, since compressed data is being read from the second session at real time. 
Typically, data is compressed at a ratio of about 10 to 1; therefore, the average data rate 
10 when playing the compressed data over the same period will be about 1/10 speed in this 
case. 

The compressed data may read from the disc in blocks at a high speed (burst 
speed), followed by a much longer period of inactivity. The burst speed could in fact be 
anything up to and including the maximum read speed of the CD-ROM drive, but for very 
15 short periods. On the other hand, CD copying software typically will try to copy at the 
highest speed possible for a sustained period. The supervisory program monitors the 
average data reading speed over a predetermined period, such as ten seconds. If the average 
speed exceeds a threshold, then the read operation is prevented. 

The supervisory program may monitor the position of the read head of the CD- 
20 ROM and thereby identify whether the first or second session is being accessed. If the first 
session is being accessed, the supervisory program prevents the read operation. 

The read operation may be prevented by blocking the data from reaching the 
application. An eject command may also be sent to the CD-ROM. 

The supervisory program interacts with the player program to prevent unauthorised 
25 activities. If the player program is not open, or is closed by the user while the disc is still in 
the CD-ROM drive, then the supervisory program sends an eject command to the CD- 
ROM drive. Likewise, if a protected disc is no longer present in the CD-ROM drive, the 
supervisory program closes itself down. 
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Where there is more than one protected disc accessible to the computer at the same 
time in different drives, the supervisory program, when launched by the insertion of a 
protected disc, determines whether there is another instance of itself already running. If so, 
the drive containing the new disc is added to a list of drives monitored by the other 
5 instance. If not, the new instance of the supervisory program is deployed. Once all of the 
monitored drives no longer contain a protected disc, the supervisory program removes 
itself from the system. 

In general, the supervisory program is designed to detect any access to a protected 
disc other than the player program accessing the second session. If the disc is accessed in 
10 any other way the activity will be judged illegal and interventional action will be taken by 
the supervisory program. The supervisory program identifies a protected disc by 
recognising a signature which forms part of the disc format structure, and does not prevent 
the copying of an ordinary disc or interfere with the general performance and/or activities 
of the computer. 

15 CD Production 

To produce a CD formatted according to an embodiment of the invention requires 
special software to be used during the mastering process, which is illustrated in Figure 5. 
The source data D for one or more tracks is provided on a carrier, which may itself be a 
recordable CD or a digital tape. The source data is formatted (S10) by software to generate 

20 a first session and a second session in the format described above, including the player 
program and the supervisory program, for recording on the CD. The formatted data is 
recorded (S20) on a CD master, using for example a laser beam recorder which writes the 
data on a coated glass master. The glass master is developed (S30) to produce a metallized 
glass master M. The master may be used to produce one or more stampers S by an 

25 electroforming process (S40). CDs are mass-produced from the stamper S by a stamping 
process (S50). In an alternative embodiment suitable for low volume production, 
recordable CD's may be recorded directly with the formatted data. 

The formatted data may be recorded as a data set for input to the recorder at a 
subsequent time. 
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Embodiments of the invention include CD production software for formatting data 
and/or controlling a recording process to generate one or more CD's having a format in 
accordance with an embodiment of the invention. Embodiments also include formatted 
data having a structure as defined above. 

5 The production software may allow the algorithm that derives the keys from the 

sector addresses to be varied for each master M produced. Advantageously, routine 
variations in the algorithm used for manufacturing a given master M can result in 
completely different keys being derived for a given sector address. The production 
software modifies the code of the player program that is also recorded on the disc so that it 

10 contains the algorithm used in the encryption step, thus allowing the player program to 
decrypt the data session. 

The above embodiments are provided purely by way of example. Alternatives, which may 
be apparent to the skilled person on reading the specification, may nevertheless fall within 
the invention as defined by the claims. 



15 



